TL;DR

GlassWorm, an active malware campaign since March 2025, has evolved to compromise 151 GitHub repositories (March 3-9, 2026) and 72 malicious Open VSX extensions (since January 31, 2026) using invisible Unicode characters to hide malicious payloads. The campaign abuses VS Code's extensionPack and extensionDependencies features to deliver malware transitively, steals developer credentials via Solana blockchain-based C2, and evades detection through Russian locale geofencing and AI-generated cover commits [1][2][3]. If your team uses VS Code extensions or pulls from GitHub, audit your dependencies immediately.​‌‌​​‌‌‌‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​‌‌‌​‌‌‌‍​‌‌​‌‌‌‌‍​‌‌‌​​‌​‍​‌‌​‌‌​‌‍​​‌​‌‌​‌‍​‌‌‌​‌‌​‍​‌‌‌​​‌‌‍​‌‌​​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌‌​‌​​‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​‌​‌‌‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌​‌​​‌‍​‌‌​​​‌​‍​‌‌​‌‌​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​‌​‌‍​‌‌​‌‌‌​‍​‌‌​‌​​‌‍​‌‌​​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌‌​‌‌​‍​‌‌​​‌​‌‍​‌‌​‌‌​​‍​‌‌​‌‌‌‌‍​‌‌‌​​​​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌‌​​‌‌

The Invisible Threat Hiding in Plain Sight

Between March 3 and March 9, 2026, at least 151 GitHub repositories were compromised by a threat actor tracked as GlassWorm, which hides malicious payloads in Unicode Private Use Area (PUA) characters — ranges 0xFE00 through 0xFE0F and 0xE0100 through 0xE01EF that render as zero-width whitespace in virtually every code editor and terminal [2][4]. To a human reviewing a pull request, the injected code appears as an empty string. But when the JavaScript runtime encounters it, a small decoder extracts the hidden bytes and passes them to eval(), executing a full malicious payload [2]

[4].

This is not a new technique — GlassWorm has been active since at least March 2025, when Aikido Security first discovered malicious npm packages using the same invisible Unicode method [2]. By October 2025, the attacker had expanded to Open VSX extensions, and by March 2026, launched a coordinated mass campaign across GitHub, npm, and VS Code marketplace [1][2][3].​‌‌​​‌‌‌‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​‌‌‌​‌‌‌‍​‌‌​‌‌‌‌‍​‌‌‌​​‌​‍​‌‌​‌‌​‌‍​​‌​‌‌​‌‍​‌‌‌​‌‌​‍​‌‌‌​​‌‌‍​‌‌​​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌‌​‌​​‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​‌​‌‌‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌​‌​​‌‍​‌‌​​​‌​‍​‌‌​‌‌​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​‌​‌‍​‌‌​‌‌‌​‍​‌‌​‌​​‌‍​‌‌​​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌‌​‌‌​‍​‌‌​​‌​‌‍​‌‌​‌‌​​‍​‌‌​‌‌‌‌‍​‌‌‌​​​​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌‌​​‌‌

Why This Matters for Your Business

For SMBs with software teams, this attack targets the developer workstation — the machine with access to source code, CI/CD tokens, cloud credentials, and production secrets. Once executed, the GlassWorm payload establishes a foothold that can exfiltrate:

  • GitHub tokens and repository access
  • CI/CD pipeline credentials (Jenkins, GitHub Actions, GitLab CI)
  • Cloud API keys (AWS, Azure, GCP)
  • Database connection strings
  • SSH keys and deployment credentials
  • Environment variables from .env files

The attack is particularly dangerous because it bypasses visual code review — the malicious code is literally invisible to the human eye. Standard linters and static analysis tools won't catch it unless they specifically scan for PUA Unicode characters [2][4].

How GlassWorm Works: The Technical Breakdown

Phase 1: Invisible Unicode Injection

The attack begins with a commit that appears legitimate. Researchers at Aikido Security note that the malicious injections don't arrive in obviously suspicious commits. Instead, they take the form of version bumps, small refactors, documentation tweaks, and bug fixes that are "stylistically consistent with each target project" [2]. This level of project-specific tailoring strongly suggests the attackers are using large language models (LLMs) to generate convincing cover commits — manually crafting 151+ bespoke code changes across different codebases simply isn't feasible at this scale [2].

Buried within these commits is the invisible Unicode payload. Here's what the decoder pattern looks like (note the apparent gap in the empty backticks):

const s = v => [...v].map(w => (
  w = w.codePointAt(0),
  w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 :
  w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 : null
)).filter(n => n !== null);

eval(Buffer.from(s(``)).toString('utf-8'));

The backtick string passed to s() looks empty in every viewer, but it's packed with invisible characters that decode to a full malicious payload [2].

Phase 2: Solana-Based Command-and-Control

Once decoded and executed, the payload fetches and executes a second-stage script using the Solana blockchain as a delivery channel [1][4]. This is a sophisticated technique:

  • Dead drop resolver: The malware reads Solana transaction memos to retrieve the C2 server address, making the infrastructure resilient to takedowns — blockchain transactions cannot be modified or deleted [3][4].
  • Infrastructure rotation: The campaign has shifted from Solana wallet BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC to 6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ, adding new C2 IPs 45.32.151.157 and 70.34.242.255 while continuing to reuse 45.32.150.251 [3].
  • Execution guardrails: The malware uses Russian locale and timezone geofencing to avoid infecting systems in Russian locales, likely to evade detection by Russian security researchers or law enforcement [3][4].

Phase 3: Credential and Secret Theft

The ultimate goal is credential harvesting. Once established on a developer workstation, the malware searches for:

  • Tokens and credentials stored in configuration files
  • Environment variables (especially from .env files)
  • CI/CD pipeline secrets (Jenkins, GitHub Actions tokens)
  • Cloud provider credentials (AWS, Azure, GCP API keys)
  • SSH keys and private certificates
  • Cryptocurrency wallet keys (historically targeted by GlassWorm) [1][4]

These exfiltrated credentials give the attacker persistent access to your infrastructure, enabling data theft, ransomware deployment, or supply chain propagation to your customers.

The New Transitive Dependency Attack Vector

The most alarming evolution in the March 2026 wave is GlassWorm's abuse of VS Code extension relationships. On March 13, 2026, Socket Research reported identifying at least 72 additional malicious Open VSX extensions that use a new transitive delivery technique [1][3].

Abusing extensionPack and extensionDependencies

VS Code and compatible editors support two manifest fields in package.json:

  • extensionPack: Bundles related extensions together (e.g., a "PHP Development" pack that includes a debugger and language server).
  • extensionDependencies: Declares extensions required for the parent extension to function [3].

When a user installs an extension with these fields, the editor automatically installs every referenced extension. Critically, any extension author can declare any other extension — no trust relationship required [3].

GlassWorm's new technique:

  1. Attacker publishes an extension that appears benign and standalone.
  2. Developer installs and trusts the extension.
  3. In a later update, the attacker adds extensionPack or extensionDependencies referencing a separate GlassWorm loader.
  4. The editor automatically installs the malicious dependency in the background [1][3].

This means an extension that looked safe when you installed it can become malicious through an update — and standard one-time code reviews won't catch it.

Real-World Examples

Socket confirmed this pattern in several extensions:

  • otoboss.autoimport-extension references oigotm.my-command-palette-extension and federicanc.dotenv-syntax-highlighting (confirmed GlassWorm-linked) [3].
  • twilkbilk.color-highlight-css — a typosquat of the legitimate color-highlight extension, showing 3,500 downloads (likely inflated to appear credible) [3].
  • daeumer-web.es-linter-for-vs-code — publisher name is a direct typosquat of legitimate ESLint publisher dbaeumer [3].

The extensions impersonate widely-used tools: ESLint, Prettier, code runners, Angular/Flutter/Python tooling, WakaTime, Better Comments, and AI assistants like Claude Code, Codex, and Antigravity [1][3].

Business Impact and Risk Assessment

For SMBs with Development Teams

If your business employs developers who use VS Code or pull from public GitHub repositories, your risk factors include:

Risk Factor Impact Likelihood
Credential theft from developer workstations High (access to source code, CI/CD, cloud) Medium-High
Supply chain compromise via GitHub dependencies High (can propagate malware to customers) Medium
CI/CD pipeline takeover Critical (production deployment access) Low-Medium
Cloud infrastructure compromise High (AWS/GCP/Azure access) Medium
Data breach via exfiltrated secrets High (customer data, IP) Medium

Notable Targets Validate the Threat

Among the 151 compromised GitHub repositories are several well-known projects with meaningful star counts [2]:

  • pedronauck/reworm — 1,460 stars
  • pedronauck/spacefold — 62 stars
  • anomalyco/opencode-bench — 56 stars (from anomalyco, the organization behind OpenCode and SST)
  • doczjs/docz-plugin-css — 39 stars
  • wasmer-examples/hono-wasmer-starter — 8 stars (Wasmer is a WebAssembly runtime)

These are real projects that developers depend on. If your team uses any of these libraries or similar packages, you may have inadvertently pulled malicious code.

Defensive Actions: What to Do Right Now

Immediate Steps (Next 24 Hours)

  1. Audit VS Code extensions on all developer workstations:

    code --list-extensions --show-versions

    Cross-reference against the full list of 72 malicious extensions [3].

  2. Check for invisible Unicode in your repositories:

    # Search for the decoder pattern
grep -r "0xFE00" . || echo "No matches found"

    Or use Aikido's free malware detection [2].

  3. Rotate exposed credentials if you find suspicious extensions:

    • GitHub personal access tokens
    • CI/CD pipeline secrets (Jenkins, GitHub Actions, GitLab CI)
    • Cloud API keys (AWS, Azure, GCP)
    • Database credentials
    • SSH keys

  4. Review extension version history for newly introduced extensionPack or extensionDependencies:

    # For each installed extension, check versions
code --list-extensions | while read ext; do
  echo "Checking: $ext"
done

Long-Term Defenses

  1. Implement automated scanning for invisible Unicode in CI/CD pipelines — tools like Aikido and Socket can detect these payloads automatically [2][3].

  2. Require security review for extension updates — not just initial installation. Monitor for manifest changes in later versions [3].

  3. Lock dependency versions in package-lock.json, yarn.lock, or pnpm-lock.yaml to prevent automatic updates to compromised versions.

  4. Segment developer workstations from production infrastructure — developers shouldn't have direct access to production credentials from their dev machines.

  5. Use GitHub's Dependabot and security advisories to receive alerts about compromised dependencies.

The Larger Context: Supply Chain Attacks Are the New Normal

GlassWorm is part of a broader trend: software supply chain attacks are increasing because they're efficient. Instead of attacking your defenses directly, attackers compromise the tools and libraries you trust.

Recent precedents include:

  • SolarWinds (2020): Compromised build process delivered malware to 18,000+ customers via Orion updates.
  • Codecov (2021): Uploader script modified to exfiltrate credentials from CI environments.
  • Event-stream (2018): Malicious npm package stolen Bitcoin from developer wallets.
  • ua-parser-js (2021): 1,800+ packages infected via malware in a popular dependency.

GlassWorm is notable for its use of invisible Unicode and blockchain-based C2, but the core strategy — compromising developer tools to steal credentials — is well-established [1][2][4].

Why AI Makes This Worse

Researchers strongly suspect GlassWorm is using LLMs to generate cover commits [2]. This lowers the attacker's cost: instead of manually crafting 151 realistic code changes, an AI can generate them automatically. As AI coding assistants become more common, we should expect:

  • More sophisticated cover commits that are harder to detect
  • Faster propagation across multiple ecosystems simultaneously
  • AI-generated typosquatting and impersonation attempts

Cost-Benefit Analysis: Defending Against GlassWorm

For SMBs, the calculus is straightforward:

Mitigation Cost Risk Reduction Priority
Audit extensions immediately 1-2 hours Removes active malware Critical
Rotate exposed credentials 2-4 hours Neutralizes stolen secrets Critical
Implement automated scanning $50-200/month (Aikido/Socket) Detects future threats High
Lock dependency versions Minimal Prevents automatic updates High
Segment dev workstations Moderate (IT overhead) Contains breaches Medium

Recommended immediate investment: 4-6 hours of developer time to audit and rotate, plus automated scanning tooling (~$100/month) for ongoing protection.

Key Indicators of Compromise (IOCs)

Malicious Open VSX Extensions (Partial List)

Full list of 72 extensions [3]:

  1. aadarkcode.one-dark-material
  2. angular-studio.ng-angular-extension
  3. crotoapp.vscode-xml-extension
  4. gvotcha.claude-code-extension
  5. gvotcha.claude-code-extensions
  6. mswincx.antigravity-cockpit
  7. mswincx.antigravity-cockpit-extension
  8. otoboss.autoimport-extension
  9. twilkbilk.color-highlight-css
  10. daeumer-web.es-linter-for-vs-code

Solana Wallets

  • BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC
  • 6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ

C2 IP Addresses

  • 45.32.150.251
  • 45.32.151.157
  • 70.34.242.255

Embedded Crypto Material

  • AES key: wDO6YyTm6DL0T0zJ0SXhUql5Mo0pdlSz
  • AES IV (hex): c4b9a3773e9dced6015a670855fd32b

GitHub Decoder Pattern

w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 :
w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 : null

FAQ

GlassWorm is a malware campaign active since at least March 2025 that compromises software development tools (npm packages, GitHub repositories, VS Code extensions) using invisible Unicode characters to hide malicious payloads. It steals developer credentials and secrets via blockchain-based command-and-control infrastructure [1][2][4].

Attackers embed malicious code in Unicode Private Use Area characters (ranges 0xFE00-0xFE0F and 0xE0100-0xE01EF), which render as zero-width whitespace in code editors. When JavaScript executes the code, a decoder extracts the hidden bytes and runs them via eval(). The code is literally invisible to human reviewers [2][4].

No — VS Code extensions are still valuable productivity tools. However, you should:

  • Audit installed extensions against the known malicious list
  • Review extension update history for suspicious extensionPack or extensionDependencies additions
  • Implement automated scanning for new extensions
  • Rotate credentials if you find malicious extensions [3]

Run this command in your repo root:

grep -r "0xFE00" . || echo "No decoder pattern found"

For comprehensive scanning, use Aikido's free malware detection or Socket's CLI tools [2][3].

  1. Uninstall the extension immediately
  2. Check the extension's version history for when it became malicious
  3. Rotate all credentials that may have been exposed (GitHub tokens, CI/CD secrets, cloud API keys, SSH keys)
  4. Scan developer workstations for other indicators of compromise
  5. Report the extension to Open VSX or Microsoft VS Code Marketplace [3]

References

  1. Socket Research Team. "72 Malicious Open VSX Extensions Linked to GlassWorm Campaign Now Using Transitive Dependencies." Socket Dev Blog, March 13, 2026. https://socket.dev/blog/open-vsx-transitive-glassworm-campaign

  2. Makari, Ilyas. "Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories." Aikido Security Blog, March 14, 2026. https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode

  3. The Hacker News. "GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers." March 14, 2026. https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html

  4. James, Luke. "Invisible malicious code attacks 151 GitHub repos and VS Code — Glassworm attack uses blockchain to steal tokens, credentials, and secrets." Tom's Hardware, March 14, 2026. https://www.tomshardware.com/tech-industry/cyber-security/malicious-packages-using-invisible-unicode-found-in-151-github-repos-and-vs-code

  5. Aikido Security. "GitHub code search for decoder pattern returns 151+ repositories." March 2026. https://github.com/search?q=0xFE00%26%26w%3C%3D0xFE0F%3Fw-0xFE00%3Aw%3E%3D0xE0100%26%26w%3C%3D0xE01EF&type=code

  6. Endor Labs. "Return of PhantomRaven: 88 Malicious npm Packages with Remote Dynamic Dependencies." February 2026. https://www.endorlabs.com/learn/return-of-phantomraven

  7. Cybersecurity News. "GlassWorm Campaign Uses 72 Malicious Open VSX Extensions to Broaden Reach." March 14, 2026. https://cybersecuritynews.com/glassworm-campaign-uses-72-malicious-open-vsx-extensions/

  8. Koi Security. "Self-Spreading GlassWorm Infects VS Code Marketplace." October 2025. https://koi.security/blog/glassworm-vscode-marketplace

Get Help Securing Your Development Pipeline

If you're concerned about supply chain security but don't know where to start, get expert guidance. A cybersecurity consultation can help you:

  • Audit your current dependencies and extensions
  • Implement automated scanning in your CI/CD pipeline
  • Design credential rotation and incident response procedures
  • Train your developers on secure coding practices

Book a free consultation →

Don't wait until your credentials are stolen. Proactive security is cheaper than a breach.

Disclosure: This post reports on publicly documented security research from Aikido Security, Socket, The Hacker News, Tom's Hardware, and Cybersecurity News. Always verify IOCs against primary sources and conduct your own testing before taking remediation actions.

TL;DR (Too Long; Didn't Read)

Bad guys found a way to write invisible code that sneaks onto developer computers through popular tools like VS Code extensions and GitHub projects. Since March 2025, this "GlassWorm" attack has hidden in 151 GitHub projects and 72 fake VS Code extensions. It steals passwords and keys that developers use to build software. The good news? We know how to find it and stop it [1][2][3].

What Is GlassWorm? (The Invisible Ink Trick)

Imagine you're writing a note to a friend. You use a special pen that writes invisible ink — the paper looks blank to everyone else. But when your friend holds it under a special light, secret messages appear!

GlassWorm does the same thing with computer code. Attackers write sneaky instructions using invisible characters that computers can read but humans can't see. When developers look at the code, it looks like a blank space. But when the computer runs it, those invisible characters turn into bad programs that steal passwords [2][4].

The Magic Trick: Unicode Characters

Computers use something called Unicode to display letters, numbers, and symbols from all languages. But Unicode has a special section called the Private Use Area — think of it like a secret notebook where you can invent your own symbols.

These special symbols (called PUA characters) are invisible in most text editors and code viewers. It's like writing with a pen that only appears under ultraviolet light!

Here's what the sneaky decoder looks like (the "gap" in the empty quotes is where the invisible code hides):

// This looks like an empty string, but it's packed with invisible characters!
eval(Buffer.from(s(``)).toString('utf-8'));

When the computer runs this code, it reads the invisible characters and decodes them into a full bad program [2][4].

How Does the Attack Work? (The 3-Step Plan)

Think of GlassWorm like a burglar with a 3-step plan:

Step 1: Sneak Inside (March 3-9, 2026)

Attackers created fake pull requests to 151 real GitHub projects — projects with thousands of stars that real developers use! They also made 72 fake VS Code extensions pretending to be popular tools [1][2].

The fake changes looked like normal improvements:

  • "Let's fix this typo"
  • "Here's a better version of this function"
  • "I updated the documentation"

But hidden inside these innocent-looking changes were the invisible character payloads [2].

Step 2: Stay Hidden (Russian Disguise)

Once the invisible code runs, it checks: "Is this computer in Russia?"

If yes, it does nothing. This is like a burglar who only robs houses outside his own neighborhood to avoid local police. By skipping Russian computers, the attackers avoid detection by Russian security researchers [3][4].

Step 3: Phone Home (Blockchain Messenger)

The invisible code needs to know where to send the stolen passwords. But instead of a regular website (which can be shut down), it uses the Solana blockchain — like a public bulletin board that can never be erased!

The malware reads special messages on the blockchain to find its "boss" server. Even if security experts find and block one server, the attackers can just post a new address on the blockchain. It's like the burglar changing his hiding spot every day, but leaving clues in a public diary [3][4].

What Does GlassWorm Steal?

Once installed on a developer's computer, GlassWorm searches for:

What It Steals Why It's Dangerous
GitHub tokens Lets attackers access private code
Cloud passwords (AWS, Azure, GCP) Gives access to company servers
CI/CD secrets Lets attackers mess with software builds
SSH keys Lets attackers log into servers remotely
Environment variables Contains database passwords and API keys

Imagine if someone stole your house key, your email password, and your bank card all at once — that's what GlassWorm does to software companies [1][4].

The New Scary Trick: Extension Packs

In March 2026, GlassWorm got smarter. Instead of putting bad code directly in fake extensions, attackers found a way to use VS Code's own features against it [1][3].

The "Trojan Horse" Technique

VS Code has a feature called extension packs — bundles of useful extensions that install together. Think of it like a gift basket with multiple treats inside.

Attackers abuse this like this:

  1. Publish a nice extension — "Awesome Python Helper" that helps developers.
  2. Wait for people to install and trust it.
  3. Update it later — add a "gift" in the extension pack that secretly installs the bad extension!
  4. VS Code installs both — you thought you were getting a Python helper, but you also got malware [1][3].

This is scary because the extension looked safe when you first installed it. It only became dangerous weeks or months later through an update!

Real Examples of Fake Extensions

Some of the 72 malicious extensions pretend to be:

  • "Better Prettier" — a fake version of a popular code formatter
  • "Claude Code Extension" — pretending to be an AI coding assistant
  • "Antigravity Cockpit" — faking a real developer tool
  • "ESLint Linter" — with a publisher name that's one letter off from the real one! [3]

It's like seeing a cereal box that looks exactly like your favorite brand, but the name is "Frosted Flskes" instead of "Frosted Flakes" — close enough to trick you if you're not paying attention!

Why Can't We See the Invisible Code?

You might wonder: "Why don't code editors show us the invisible characters?"

Great question! The problem is that most tools aren't looking for them. It's like having a security guard who checks everyone's bags but doesn't look for invisible ink.

Here's why it's hard to catch:

Challenge Why It's Hard
Invisible to humans Code reviews involve people reading code — you can't see what's invisible!
Standard tools miss it Regular linters and analyzers don't scan for Unicode PUA characters
Looks normal at first Extensions appear safe when published, become malicious later via updates
AI-generated cover Attackers use AI to write convincing fake commits that look real [2][3]

What Can We Do? (The Defense Plan)

The good news is we know how to stop GlassWorm! Here's a checklist:

For Right Now (Today!)

Step 1: Check your extensions Open your terminal and run:

code --list-extensions

Look for any of these bad extensions (full list of 72 here: Socket Blog):

  • twilkbilk.color-highlight-css (fake color highlighter)
  • daeumer-web.es-linter-for-vs-code (fake ESLint — notice "daeumer" vs real "dbaeumer")
  • gvotcha.claude-code-extension (fake Claude Code) [3]

Step 2: Check your code Run this in your GitHub projects:

grep -r "0xFE00" . || echo "Safe!"

If you see matches, you might have GlassWorm [2].

Step 3: Change your passwords If you find bad extensions, immediately change:

  • GitHub personal access tokens
  • Cloud API keys (AWS, Azure, GCP)
  • CI/CD pipeline secrets
  • SSH keys

For Later (This Week)

  1. Install security tools — Aikido and Socket offer free scanning that catches invisible Unicode [2][3]
  2. Lock your dependencies — Use package-lock.json or yarn.lock to prevent automatic updates to bad versions
  3. Review extension updates — Don't just check extensions when you install them — check when they update too!
  4. Separate work and play — Don't use the same computer for coding and personal stuff

The Big Picture: Why This Matters

GlassWorm is part of a bigger problem called supply chain attacks. Instead of attacking your defenses directly, bad guys attack the tools you trust.

Think of it this way:

"If you want to rob a bank, it's safer to bribe the security guard than to break the vault yourself."

Supply chain attacks work by compromising:

  • Software libraries (like npm packages)
  • Developer tools (like VS Code extensions)
  • Build systems (like CI/CD pipelines)

When these tools are infected, everyone who uses them gets attacked — not just one company, but thousands at once!

Famous Supply Chain Attacks (Before GlassWorm)

Attack What Happened Impact
SolarWinds (2020) Bad guys hacked SolarWinds updates 18,000+ companies infected
Event-stream (2018) Malicious npm package Stole Bitcoin from developers
Codecov (2021) Uploader script modified Exfiltrated CI/CD credentials

GlassWorm is the latest evolution — using invisible code and blockchain to stay hidden longer [1][4].

The AI Connection: Why It's Getting Worse

Here's the scary part: researchers think GlassWorm uses AI (like ChatGPT or Claude) to write the fake commits that hide the malware [2].

Why does this matter?

Before AI: Writing 151 convincing fake commits would take attackers months of work. With AI: AI can generate them in hours!

This means:

  • More attacks — Faster, cheaper, and harder to detect
  • Better disguises — AI writes code that looks more realistic
  • Wider targets — Attackers can hit GitHub, npm, and VS Code all at once

It's like giving burglars a master key that can open any door — and the key keeps getting better!

What's Next? (The Future)

GlassWorm isn't going away — it's getting smarter. Here's what security experts expect:

Near Future (2026-2027)

  • More ecosystems attacked — Not just VS Code, but IntelliJ, Vim, and other editors
  • AI-generated malware — Malware that changes itself to avoid detection
  • Cross-platform attacks — Coordinated strikes across npm, PyPI, RubyGems, and more

What We're Doing About It

Good news: Security tools are fighting back!

  • Aikido offers free scanning for invisible Unicode [2]
  • Socket detects transitive dependency attacks [3]
  • GitHub is improving security advisories and Dependabot
  • VS Code is adding more security checks for extensions

The key is: you have to use these tools! It's like having a smoke detector — it only helps if you install it.

Real-World Impact: Who Got Hit?

Among the 151 compromised GitHub repositories are popular projects:

  • reworm — 1,460 stars (a reactive programming library)
  • spacefold — 62 stars (a developer tool)
  • opencode-bench — 56 stars (from the team that makes OpenCode) [2]

These are real projects that thousands of developers use. If your team depends on these libraries, you might have pulled malicious code without knowing it.

Cost vs. Benefit: Is It Worth Fixing?

For small businesses, the math is simple:

Fix Time Cost Risk Reduction
Audit extensions 1-2 hours Free Removes active malware
Rotate passwords 2-4 hours Free Neutralizes stolen keys
Install scanner $50-200/month Subscription Catches future threats

Not fixing it: Your GitHub tokens, cloud passwords, and CI/CD secrets get stolen. Average data breach cost in 2026? $4.45 million [IBM Security].

Fixing it: A few hours of work plus maybe $100/month.

You do the math!

FAQ (Questions Kids Ask)

A: No! That's the whole point. The invisible characters render as blank space in every code editor. You need special tools to detect them [2][4].

A: No! VS Code is still safe and useful. Just be careful about which extensions you install, and audit your installed extensions against the known bad list [3].

A: They used Unicode Private Use Area characters — special symbol codes that computers understand but don't display anything. It's like the "no-break space" character that looks like a regular space but is actually different [2][4].

A: Because it can't be shut down! Regular websites can be taken offline by authorities. But blockchain transactions are permanent and public — like writing on a digital wall that nobody can erase [3][4].

A: Probably not — GlassWorm targets developers, not regular users. But if you're a developer using VS Code or GitHub, you should run the checks in this article to be safe [1][2][3].

What I Learned (and Why It Matters)

Writing this article taught me that cybersecurity is like an arms race:

  1. Attackers find a new trick (invisible Unicode)
  2. Defenders build defenses (scanners, detectors)
  3. Attackers evolve the trick (transitive dependencies)
  4. Defenses evolve again (manifest monitoring, AI detection)
  5. Repeat forever!

The key lesson: You can't rely on "looks safe" anymore. Just because code looks fine when you review it doesn't mean it is. You need automated tools that check the things humans can't see.

For developers, this means:

  • Scan everything — dependencies, extensions, pull requests
  • Lock versions — don't auto-update to risky versions
  • Rotate credentials — change passwords regularly, especially after finding malware
  • Stay informed — security research moves fast; keep up with news

Get Help (If You're Scared or Confused)

If all this sounds overwhelming, you're not alone! Cybersecurity is complicated, and that's okay — there are experts who can help.

Book a free consultation →

A security expert can:

  • Check if your team is affected by GlassWorm
  • Set up automated scanning for your projects
  • Teach your developers safe coding practices
  • Help you respond if you find malware

Don't wait until it's too late. Proactive security beats panic every time.

References (For Curious Kids)

  1. Socket Research Team. "72 Malicious Open VSX Extensions Linked to GlassWorm Campaign." March 13, 2026. https://socket.dev/blog/open-vsx-transitive-glassworm-campaign

  2. Ilyas Makari. "Glassworm Is Back: Invisible Unicode Attacks." Aikido Security, March 14, 2026. https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode

  3. The Hacker News. "GlassWorm Supply-Chain Attack Targets Developers." March 14, 2026. https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html

  4. Luke James. "Invisible malicious code attacks 151 GitHub repos." Tom's Hardware, March 14, 2026. https://www.tomshardware.com/tech-industry/cyber-security/malicious-packages-using-invisible-unicode-found-in-151-github-repos-and-vs-code

Disclosure: This article explains publicly documented security research. Always verify information and ask an adult before running commands or making security changes!

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation